Configuring the General Identity Provider Settings

The following settings affect all identity providers that Identity Server has been configured to trust.

  1. Click Devices > Identity Servers > Edit > Identity Providers.

  2. To specify identity provider settings, fill in the following fields:

    Show logged out providers: Displays logged-out providers on the identity provider’s logout confirmation page.

    Require Signed Authentication Requests: Specifies that for the Liberty 1.2 and SAML 2.0 protocols, authentication requests from service providers must be signed. When you enable this option for the identity provider, you must also enable the Sign Authentication Requests option under the Identity Consumer heading on this page for the external trusted service provider.

    Use Introductions (Publish Authentications): Enables single sign-on from the service provider to the identity provider. The service provider determines the identity providers that users are already logged into, and then selectively and automatically asks for authentication from one of the identity providers. Introductions are enabled only between service and identity providers that have agreed to a circle of trust, which means that they have agreed upon a common domain name for this purpose.

    After authenticating a user, the identity provider accesses a service at the service domain and writes a cookie to the common part of the service domain, publishing that the authentication has occurred.

    Service Domain (Local and Common): Enables a service provider to access a service at the service domain prior to authenticating a user. This service reads cookies obtained at this domain and discovers if any identity providers have provided authentication to the user. The service provider determines whether any of these identity providers can authenticate a user without credentials. The service domain must resolve to the same IP address as the base URL domain.

    For example, if an agreed-upon common domain is xyz.com, the service provider can specify a service domain of sp.xyz.com, and the identity provider can specify a service domain of idp.xyz.com. For the identity provider, xyz.com is the common value entered, and idp is the local value.

    Port: The port to use for identity provider introductions. Port 8445 for HTTPS is the default and must be opened on your firewall. If you specify a different port, you must edit the Tomcat server.xml file.

    SSL Certificate: Displays the Keystore page that you use to locate and replace the test-provider SSL certificate for this configuration.

    Identity Server comes with a test-provider certificate that you must replace for your production environment. This certificate is used for identity provider introductions. You can replace the test certificate now or after you have configured Identity Server. You must restart Tomcat whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Managing the Keys, Certificates, and Trust Stores.

  3. Click OK, then update Identity Server.

Configuring a Global White List of Target URLs

Many applications and services require URL redirection, which can introduce security risks. While redirecting, the request can be tampered with to send users to an external, malicious site. To prevent such issues, you can configure a list of permissible domains. Redirection is allowed only to these configured domains.

  1. Click Devices > Identity Servers > Edit > Identity Providers.

  2. Under Redirection White List, click New.

  3. Specify Domain.

    You can specify a domain name with an asterisk wildcard character (*) that represents the entire DNS subtree. For example, specifying *.example.com as a domain allows redirection to all child domains under example.com, including example.com itself. The WWW prefix is not required. You can specify the asterisk (*) wildcard only at the lowest level of the subtree.

    For example:

    Valid domain name: *.example.com

    Invalid domain name: innerweb.*.com.

    You must configure at least one domain to prevent open redirection.

    • Liberty: The target parameter is filtered. If the requested target is not in the white list, Identity Server does not log in the user.

    • WS-Fed: The wreply parameter is filtered. If the requested wreply is not in the white list, Identity Server does not log in the user. However, if the wreply domain is the same as the provider's single logout or single sign-on URL domain, the request is accepted.

    • SAML2: For idpsend, the target parameter is filtered using this list. This list is not applicable for spsend.
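The white-list rules above (wildcard only at the lowest level, `*.example.com` covering the apex and its whole subtree, the WS-Fed exception for the provider's own SSO/SLO host) as an added Python illustration; this is not Access Manager's own code, and the list entries, target URLs and function names are assumed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample white list: one wildcard entry, one exact entry.
WHITE_LIST = ["*.example.com", "partner.net"]


def is_valid_entry(entry: str) -> bool:
    """Accept 'host.tld' or '*.host.tld'; reject a wildcard anywhere else."""
    labels = entry.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return False  # bare '*', empty label, or a single label is not a domain
    head, rest = labels[0], labels[1:]
    if any("*" in label for label in rest):
        return False  # e.g. innerweb.*.com: wildcard above the lowest level
    return head == "*" or "*" not in head


def host_matches(host: str, entry: str) -> bool:
    """Match a host against one entry: '*.apex' covers apex and every child."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    if entry.startswith("*."):
        apex = entry[2:]
        # Suffix check must include the dot, so evilexample.com never matches.
        return host == apex or host.endswith("." + apex)
    return host == entry


def redirect_allowed(target_url: str, white_list, provider_hosts=()) -> bool:
    """Decide whether a redirect target is permitted by the white list.

    provider_hosts models the WS-Fed wreply exception: a wreply whose host is
    the provider's own SSO/SLO host is accepted without a white-list match.
    Targets without a parseable host are denied (assumption: deny when unsure).
    """
    host = urlsplit(target_url).hostname  # hostname ignores userinfo and port
    if not host:
        return False
    if host.lower() in {h.lower() for h in provider_hosts}:
        return True
    return any(host_matches(host, e) for e in white_list if is_valid_entry(e))
```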